FTC Issues New Privacy and Security Guidance for the Internet of Things

February 6, 2015 | Alerts

On January 27, 2015, the Federal Trade Commission (“FTC”) issued a Staff Report on privacy and security issues related to the Internet of Things (“IoT”). The Staff Report comes roughly a year after the FTC brought its first IoT enforcement action against the manufacturer of web-connected security cameras, which signaled the FTC’s increased focus on IoT devices. Building on some of the principles of that action, the FTC’s Staff Report outlines critical recommendations for all companies that design, build, and manufacture consumer products that connect to the Internet, and reinforces the fact that IoT developers need to pay close attention to privacy and security in the years to come.

The good news (or bad news) is that the FTC’s approach to IoT devices remains very much in line with its overall approach to data security and privacy issues in other areas. The Staff Report quickly (and frequently) points out that longstanding principles regarding security, data minimization, and notice and choice continue to guide its thinking. But the FTC does indicate that even though this conceptual framework remains useful, IoT devices may warrant tweaks to established best practices.

One area where the Staff Report provides useful guidance is security. The FTC says that a company developing IoT products should implement “reasonable security,” which, it concedes, will depend on individual circumstances, including weighing factors like the amount and sensitivity of the collected data, along with the costs of remedying any security vulnerability. But running through much of the FTC’s recommended best practices is the need for companies to actively consider security and privacy issues—not just give token consideration to these issues. Thankfully, the FTC provides further guidance, which includes:

Security-by-Design — Companies should take deliberate steps during product development to build security into the device. In particular, the FTC recommends conducting a privacy and security risk assessment during development, where a company “consciously” considers the risks posed by collecting consumer information. A proper security risk assessment should include consideration of the sensitivity of the data along with the type and number of security risks. The FTC suggests that companies implement a “defense-in-depth” approach to products with significant risks, layering security measures such as password protection and encryption. Companies should also build reasonable access control measures to limit unauthorized access to the product.

Security Testing — The Staff Report also recommends testing any adopted security measures before a product launches. In fact, the FTC goes out of its way to say that it will have little tolerance for security risks posed by easily discoverable issues that could have been quickly fixed before the product launch.

Employee Training — The FTC recommends that companies train all employees about good security practices, and that each company ensure security is addressed at the “appropriate” level of responsibility within the organization. What level is appropriate, of course, will vary significantly across organizations. What is appropriate for a ten-person company is likely very different than at Microsoft, Apple, or Amazon. But like the FTC’s other guidance, it is critical for companies to give deliberate thought to how they will address security issues.

Continuous Monitoring — An important takeaway from the FTC’s report is that companies should continue to monitor their products throughout the life cycle, and take affirmative steps to patch or otherwise fix known vulnerabilities. Although the FTC says that a company may choose to limit the duration for which it provides security updates, it should “weigh these decisions carefully,” and ensure it does not mislead consumers in representations about ongoing security updates. Stated another way, companies need to make deliberate, well-reasoned, and well-explained decisions about their ongoing support for IoT devices.

Vendor Security — The Staff Report reflects the FTC’s recent focus on vendor security. Gone are the days when companies could contract away liability for handling and storing data (if those ever existed in the first place). The Staff Report reiterates that companies should retain vendors that maintain reasonable security measures, and most importantly, actively oversee the vendor’s implementation of those security measures. Simply, a company must take reasonable steps to ensure that a vendor is not a security vulnerability.

Minimize Data Collection — Not surprisingly, the FTC expressed deep concern about the unfettered collection of consumer data—regardless of whether the information is stored on a device or remotely. The FTC reasoned that vast quantities of data pose an enticing target for cybercriminals and increase the risk of data misuse. IoT developers, therefore, need to match their data collection, storage, and retention practices to a legitimate business need. At a minimum, an IoT developer will need to implement reasonable limits on the collection and retention of consumer data, which the FTC calls “integral to a privacy-by-design approach.”

Related to security is one of the more noteworthy sections of the Staff Report, which relates to consumer notice and choice. The FTC reiterates that “notice and choice remains important,” especially for the collection of sensitive data. But the FTC says that notice and choice presents unique problems in the IoT context, which may necessitate a different standard than ordinary data practices. In this way, the FTC acknowledges the added complexity of providing notice on devices that may entirely lack a consumer interface. The FTC says “companies should not be compelled to provide choice before collecting and using consumer data for practices that are consistent with the context of a transaction or the company’s relationship with the consumer.” This “consumer expectations” standard is obviously a highly contextual, moving target that presents few definitive answers. While the boundaries of this approach will, hopefully, become clearer in the years to come, the FTC provides one rigid boundary from the start: sensitive data should not be collected without affirmative consent.

As for what constitutes notice for IoT devices, the FTC provides a number of suggestions that anticipate many IoT devices will lack a robust consumer interface. For example, the FTC suggests companies could use a point-of-sale approach, a video tutorial to walk participants through the privacy settings, set-up wizards that include privacy settings, or robust privacy and security menus beyond just the initial set-up. While the FTC’s suggestions show its tolerance for creative approaches to providing notice in the IoT context, companies should ensure that the notice is clear, prominent, easy to understand, and not buried within long documents.

Finally, one of the more interesting parts of the Staff Report—with potentially significant implications for future IoT development—is the FTC’s purpose-based distinction. The Staff Report distinguishes between products that collect sensitive information or have physical security risks on the one hand (a remote door lock or web-connected insulin pump), and products that simply monitor the environment on the other (a home thermostat). Clearly, devices that have the ability to present safety hazards should and will be monitored differently than those that don’t. The question will be to what degree, in what ways, and by whom.